Sounding the Alarm on Emergency Alert System Flaws

image
The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system. A Digital Alert Systems EAS encoder/decoder that Pyle said he acquired off eBay in 2019. It had the username and password for the system printed on the machine. The DHS warning was prompted by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment off of eBay in 2019, and that he quickly identified a number of serious security vulnerabilities in a device that is broadly used by states and localities to encode and decode EAS alert signals. "I found all kinds of problems back then, and reported it to the DHS, FBI and the manufacturer," Pyle said in an interview with KrebsOnSecurity. "But nothing ever happened. I decided I wasn't going to tell anyone about it yet because I wanted to give people time to fix it." Pyle said he took up the research again in earnest after an angry mob stormed the U.S. Capitol on Jan. 6, 2021. "I was sitting there thinking, ‘Holy shit, someone could start a civil war with this thing,"'…

Source